On Sun, 10 Aug 2008, Larry Seltzer wrote:
>> Vixie said "11 seconds". So the patch added a work factor of roughly
>> 3,600, rather than the 64K that *full* randomization would have added.
>> Or he just got lucky and it happened to work in the first 5% of the
>> attack...
>>
>> But then, it was *known* that the patches merely made it harder to
>> hit the hole, and DNSSEC is needed to *totally* fix the issue.
>
> Well then we're completely screwed because nothing is going to get
> DNSSEC implemented quickly, and the 10 hour number is going to get
> shorter with improvements in hardware and increased parallelism.

I guess it's time for DNS greylisting and DNS White Lists.
I can't wait for BIND plugins.
CC'ing dns-ops, let's move this discussion there.
Gadi.